What Is a Business Email Compromise (BEC) Scam?

Businesses rely heavily on email because it is cost-effective, convenient and fast. But criminals now use this indispensable business tool to conduct business email compromise (BEC) scams. The Federal Bureau of Investigation (FBI) defined BEC as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.” A BEC scam usually involves the spoofing of legitimate business email accounts. The fraudster uses the hijacked business email account to instruct an unknowing employee to wire huge amounts of money to foreign accounts. According to the Australian Competition and Consumer Commission’s 2015 Targeting Scam Report, there were more than 100,000 reports of scams in Australia in 2015. In the same year, the country lost AUD 84.9 million to scams.

BEC scams come in five versions:

The Bogus Invoice Scheme

This BEC scam is also known as the “Supplier Swindle” and the “Invoice Modification Scheme.” The “Bogus Invoice Scheme” targets businesses working with foreign suppliers. The fraudster contacts the client via phone, fax or email, asking the client either to change the payment location or to wire payment to a fake account.

CEO Fraud

As its name suggests, “CEO Fraud” (also known as the “Business Executive Scam,” “Masquerading” and “Financial Industry Wire Fraud”) involves the spoofing of a business executive’s email account. The fraudster, posing as the business executive, emails another employee requesting a wire transfer to the fraudster’s bank account. In other instances, the fraudster directly emails a financial institution, instructing it to transfer money to the bank where his account is held.

Account Compromise

In this BEC scam, the fraudster hacks the employee’s or business executive’s actual email account instead of spoofing it. The fraudster then uses the hacked account to request invoice payments from the vendors found in its contact list. The vendors are instructed to wire their payments to the fraudster’s bank accounts.

Attorney Impersonation

To appear more credible, a fraudster will sometimes pretend to be a lawyer or a representative of a law firm. He will contact a company’s employee or CEO, claiming to be resolving a sensitive financial issue. The fraudster will then pressure the employee or CEO into “helping them address” the financial issue by secretly wiring money to his bank account. To make the “Attorney Impersonation” scam more effective, the fraudster will sometimes carry it out at the end of the workday or workweek, when people already want to rest and are therefore more impatient when it comes to addressing last-minute issues.

Data Theft

This BEC scam targets the email accounts of employees in a specific department within a company. The fraudster uses their email accounts to ask for identity-related information about the company’s other employees or executives. Once the fraudster obtains that information, he uses it for more serious BEC scams targeting the company itself.

Companies should never take BEC scams lightly. According to the FBI, from 2013 to 2015, BEC scams affected an estimated 22,000 businesses worldwide and resulted in more than USD 3.1 billion in total losses. Moreover, since January 2015, identified exposed losses from BEC scams have risen by 1,300 percent, a figure that translates to an average loss of USD 140,000 per scam. Aside from massive financial losses, BEC scams can also lead to reputational damage and loss of consumer confidence.

The good news is that BEC scams can be easily prevented. The first step is to raise employee awareness of BEC scams: employees should be trained to recognize them and to know what to do when they encounter one. Companies can also impose other security measures, such as keeping track of clients’ payment habits and confirming fund transfer requests by phone, using known numbers rather than the numbers given in the email. BEC scams may be growing increasingly sophisticated, but companies need not fall prey to them.